From cbcf89c2acd4a56ca210668c3d77b454de81a83b Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <neels@hofmeyr.de>
Date: Tue, 13 Mar 2018 17:52:07 +0100
Subject: msc_vlr_test_call: reproduce OS#3062

A related ttcn3 test is added in Ic80646e1fba37bb6163ca3a7eead7980b4ad7a51

Related: OS#3062
Change-Id: Ice7197b48d4e163a3c4d97b559fdcd7e88c4107e
---
 tests/msc_vlr/msc_vlr_test_call.c   |  81 +++++++++
 tests/msc_vlr/msc_vlr_test_call.err | 346 ++++++++++++++++++++++++++++++++++++
 tests/msc_vlr/msc_vlr_tests.c       |   7 +
 tests/msc_vlr/msc_vlr_tests.h       |   2 +
 4 files changed, 436 insertions(+)

diff --git a/tests/msc_vlr/msc_vlr_test_call.c b/tests/msc_vlr/msc_vlr_test_call.c
index 6359865c7..9d4126e40 100644
--- a/tests/msc_vlr/msc_vlr_test_call.c
+++ b/tests/msc_vlr/msc_vlr_test_call.c
@@ -31,6 +31,12 @@ static void mncc_sends_to_cc(uint32_t msg_type, struct gsm_mncc *mncc)
 	mncc_tx_to_cc(net, msg_type, mncc);
 }
 
+static void on_call_release_mncc_sends_to_cc(uint32_t msg_type, struct gsm_mncc *mncc)
+{
+	mncc->msg_type = msg_type;
+	on_call_release_mncc_sends_to_cc_data = mncc;
+}
+
 #define IMSI "901700000010650"
 
 static void standard_lu()
@@ -334,6 +340,80 @@ static void test_call_mt()
 	comment_end();
 }
 
+static void test_call_mt2()
+{
+	struct gsm_mncc mncc = {
+		.imsi = IMSI,
+		.callref = 0x423,
+	};
+
+	comment_start();
+
+	fake_time_start();
+
+	standard_lu();
+
+	BTW("after a while, MNCC asks us to setup a call, causing Paging");
+	
+	paging_expect_imsi(IMSI);
+	paging_sent = false;
+	mncc_sends_to_cc(MNCC_SETUP_REQ, &mncc);
+
+	VERBOSE_ASSERT(paging_sent, == true, "%d");
+	VERBOSE_ASSERT(paging_stopped, == false, "%d");
+
+	btw("MS replies with Paging Response, and VLR sends Auth Request");
+	auth_request_sent = false;
+	auth_request_expect_rand = "c187a53a5e6b9d573cac7c74451fd46d";
+	auth_request_expect_autn = "1843a645b98d00005b2d666af46c45d9";
+	ms_sends_msg("062707"
+		     "03575886" /* classmark 2 */
+		     "089910070000106005" /* IMSI */);
+	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
+
+	btw("MS sends Authen Response, VLR accepts and sends SecurityModeControl");
+	expect_security_mode_ctrl(NULL, "1159ec926a50e98c034a6b7d7c9f418d");
+	ms_sends_msg("0554" "7db47cf7" "2104" "f81e4dc7"); /* 2nd vector's res, s.a. */
+	VERBOSE_ASSERT(security_mode_ctrl_sent, == true, "%d");
+
+	btw("MS sends SecurityModeControl acceptance, VLR accepts, sends CC Setup");
+	dtap_expect_tx("0305" /* CC: Setup */);
+	ms_sends_security_mode_complete();
+	VERBOSE_ASSERT(paging_stopped, == true, "%d");
+
+	cc_to_mncc_expect_tx(IMSI, MNCC_CALL_CONF_IND);
+	ms_sends_msg("8348" /* CC: Call Confirmed */
+		     "0406600402000581" /* Bearer Capability */
+		     "15020100" /* Call Control Capabilities */
+		     "40080402600400021f00" /* Supported Codec List */);
+	OSMO_ASSERT(cc_to_mncc_tx_confirmed);
+
+	fake_time_passes(1, 23);
+
+	cc_to_mncc_expect_tx("", MNCC_ALERT_IND);
+	ms_sends_msg("8381" /* CC: Alerting */);
+	OSMO_ASSERT(cc_to_mncc_tx_confirmed);
+
+	fake_time_passes(15, 23);
+
+	btw("The call failed, the BSC sends a BSSMAP Clear Request");
+	on_call_release_mncc_sends_to_cc(MNCC_REL_REQ, &mncc);
+	cc_to_mncc_expect_tx("", MNCC_REL_CNF);
+	dtap_expect_tx("032d"); /* CC: Release */
+	expect_iu_release();
+	msc_clear_request(g_conn, 0);
+	OSMO_ASSERT(cc_to_mncc_tx_confirmed);
+	OSMO_ASSERT(iu_release_sent);
+
+	EXPECT_CONN_COUNT(0);
+
+	/* Make sure a pending release timer doesn't fire later to access freed data */
+	fake_time_passes(15, 23);
+
+	clear_vlr();
+	comment_end();
+}
+
 static void test_call_mo_to_unknown()
 {
 	struct gsm_mncc mncc = {
@@ -497,6 +577,7 @@ static void test_call_mo_to_unknown_timeout()
 msc_vlr_test_func_t msc_vlr_tests[] = {
 	test_call_mo,
 	test_call_mt,
+	test_call_mt2,
 	test_call_mo_to_unknown,
 	test_call_mo_to_unknown_timeout,
 	NULL
diff --git a/tests/msc_vlr/msc_vlr_test_call.err b/tests/msc_vlr/msc_vlr_test_call.err
index 281f41880..6142464e9 100644
--- a/tests/msc_vlr/msc_vlr_test_call.err
+++ b/tests/msc_vlr/msc_vlr_test_call.err
@@ -757,6 +757,352 @@ DREF freeing VLR subscr MSISDN:42342
 full talloc report on 'msgb' (total      0 bytes in   1 blocks)
 talloc_total_blocks(tall_bsc_ctx) == 12
 
+===== test_call_mt2
+- Total time passed: 0.000000 s
+- Location Update request causes a GSUP Send Auth Info request to HLR
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_MM_LOC_UPD_REQUEST
+  new conn
+DREF unknown: MSC conn use + compl_l3 == 1 (0x1)
+DRLL Dispatching 04.08 message GSM48_MT_MM_LOC_UPD_REQUEST (0x5:0x8)
+DREF unknown: MSC conn use + fsm == 2 (0x5)
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Allocated
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Received Event SUBSCR_CONN_E_START
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: state_chg to SUBSCR_CONN_S_NEW
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Updated ID from LU
+DMM LOCATION UPDATING REQUEST: MI(IMSI)=901700000010650 type=NORMAL
+DMM LU/new-LAC: 23/23
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Allocated
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: is child of Subscr_Conn(901700000010650)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: rev=R99 net=UTRAN Auth+Ciph
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Received Event VLR_ULA_E_UPDATE_LA
+DREF VLR subscr unknown usage increases to: 1
+DVLR set IMSI on subscriber; IMSI=901700000010650 id=901700000010650
+DVLR New subscr, IMSI: 901700000010650
+DREF VLR subscr IMSI:901700000010650 usage increases to: 2
+DREF VLR subscr IMSI:901700000010650 usage decreases to: 1
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: vlr_loc_upd_node1()
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: state_chg to VLR_ULA_S_WAIT_AUTH
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: Allocated
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: is child of vlr_lu_fsm(901700000010650)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: Received Event VLR_AUTH_E_START
+DVLR GSUP tx: 08010809710000000156f0
+GSUP --> HLR: OSMO_GSUP_MSGT_SEND_AUTH_INFO_REQUEST: 08010809710000000156f0
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: state_chg to VLR_SUB_AS_NEEDS_AUTH_WAIT_AI
+DMM IMSI:901700000010650: subscr_conn_release_when_unused: conn still being established (SUBSCR_CONN_S_NEW)
+DREF IMSI:901700000010650: MSC conn use - compl_l3 == 1 (0x4)
+  lu_result_sent == 0
+- from HLR, rx _SEND_AUTH_INFO_RESULT; VLR sends Auth Req to MS
+<-- GSUP rx OSMO_GSUP_MSGT_SEND_AUTH_INFO_RESULT: 0a010809710000000156f00362201039fa2f4e3d523d8619a73b4f65c3e14d21049b36efdf2208059a4f668f6fbe39231027497388b6cb044648f396aa155b95ef2410f64735036e5871319c679f4742a75ea125108704f5ba55f30000d2ee44b22c8ea9192708e229c19e791f2e4103622010c187a53a5e6b9d573cac7c74451fd46d210485aa31302208d3d50a000bf04f6e23101159ec926a50e98c034a6b7d7c9f418d2410df3a03d9ca5335641efc8e36d76cd20b25101843a645b98d00005b2d666af46c45d927087db47cf7f81e4dc703622010efa9c29a9742148d5c9070348716e1bb210469d5f9fb22083df176f0c29f1a3d2310eb50e770ddcc3060101d2f43b6c2b884241076542abce5ff9345b0e8947f4c6e019c2510f9375e6d41e1000096e7fe4ff1c27e392708706f996719ba609c03622010f023d5a3b24726e0631b64b3840f82532104d570c03f2208ec011be8919883d62310c4e58af4ba43f3bcd904e16984f086d724100593f65e752e5cb7f473862bda05aa0a2510541ff1f077270000c5ea00d658bc7e9a27083fd26072eaa2a04d036220102f8f90c780d6a9c0c53da7ac57b6707e2104b072446f220823f39f9f425ad6e6231065af0527fda95b0dc5ae4aa515cdf32f2410537c3b35a3b13b08d08eeb28098f45cc25104bf4e564f75300009bc796706bc6574427080edb0eadbea94ac2
+DVLR GSUP rx 511: 0a010809710000000156f00362201039fa2f4e3d523d8619a73b4f65c3e14d21049b36efdf2208059a4f668f6fbe39231027497388b6cb044648f396aa155b95ef2410f64735036e5871319c679f4742a75ea125108704f5ba55f30000d2ee44b22c8ea9192708e229c19e791f2e4103622010c187a53a5e6b9d573cac7c74451fd46d210485aa31302208d3d50a000bf04f6e23101159ec926a50e98c034a6b7d7c9f418d2410df3a03d9ca5335641efc8e36d76cd20b25101843a645b98d00005b2d666af46c45d927087db47cf7f81e4dc703622010efa9c29a9742148d5c9070348716e1bb210469d5f9fb22083df176f0c29f1a3d2310eb50e770ddcc3060101d2f43b6c2b884241076542abce5ff9345b0e8947f4c6e019c2510f9375e6d41e1000096e7fe4ff1c27e392708706f996719ba609c03622010f023d5a3b24726e0631b64b3840f82532104d570c03f2208ec011be8919883d62310c4e58af4ba43f3bcd904e16984f086d724100593f65e752e5cb7f473862bda05aa0a2510541ff1f077270000c5ea00d658bc7e9a27083fd26072eaa2a04d036220102f8f90c780d6a9c0c53da7ac57b6707e2104b072446f220823f39f9f425ad6e6231065af0527fda95b0dc5ae4aa515cdf32f2410537c3b35a3b13b08d08eeb28098f45cc25104bf4e564f75300009bc796706bc6574427080edb0eadbea94ac2
+DREF VLR subscr IMSI:901700000010650 usage increases to: 2
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH_WAIT_AI}: Received Event VLR_AUTH_E_HLR_SAI_ACK
+DVLR SUBSCR(IMSI:901700000010650) Received 5 auth tuples
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH_WAIT_AI}: state_chg to VLR_SUB_AS_WAIT_RESP
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: got auth tuple: use_count=1 key_seq=0 -- will use UMTS AKA (is_r99=yes, at->vec.auth_types=0x3)
+- sending UMTS Auth Request for IMSI:901700000010650: tuple use_count=1 key_seq=0 auth_types=0x3 and...
+- ...rand=39fa2f4e3d523d8619a73b4f65c3e14d
+- ...autn=8704f5ba55f30000d2ee44b22c8ea919
+- ...expecting res=e229c19e791f2e41
+DREF VLR subscr IMSI:901700000010650 usage decreases to: 1
+<-- GSUP rx OSMO_GSUP_MSGT_SEND_AUTH_INFO_RESULT: vlr_gsupc_read_cb() returns 0
+  auth_request_sent == 1
+  lu_result_sent == 0
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_MM_AUTH_RESP
+DREF IMSI:901700000010650: MSC conn use + dtap == 2 (0x6)
+DRLL Dispatching 04.08 message GSM48_MT_MM_AUTH_RESP (0x5:0x14)
+DMM IMSI:901700000010650: MM UMTS AUTHENTICATION RESPONSE (res = e229c19e791f2e41)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: Received Event VLR_AUTH_E_MS_AUTH_RESP
+DVLR SUBSCR(IMSI:901700000010650) AUTH on UTRAN received RES: e229c19e791f2e41 (8 bytes)
+DVLR SUBSCR(IMSI:901700000010650) AUTH established UMTS security context
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: Authentication terminating with result VLR_AUTH_RES_PASSED
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: state_chg to VLR_SUB_AS_AUTHENTICATED
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Removing from parent vlr_lu_fsm(901700000010650)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Freeing instance
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
+DMM -> SECURITY MODE CONTROL IMSI:901700000010650
+- sending SecurityModeControl for UE ctx 42 send_ck=0 new_key=1
+- ...ik=27497388b6cb044648f396aa155b95ef
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
+DMM IMSI:901700000010650: subscr_conn_release_when_unused: conn still being established (SUBSCR_CONN_S_NEW)
+DREF IMSI:901700000010650: MSC conn use - dtap == 1 (0x4)
+  security_mode_ctrl_sent == 1
+  lu_result_sent == 0
+- MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR
+DMM <- SECURITY MODE COMPLETE IMSI:901700000010650
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: Received Event VLR_ULA_E_CIPH_RES
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_post_ciph()
+DIUCS IMSI:901700000010650: tx CommonID 901700000010650
+- Iu Common ID --RAN_UTRAN_IU--> MS (IMSI=901700000010650)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_node_4()
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: state_chg to VLR_ULA_S_WAIT_HLR_UPD
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Allocated
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: is child of vlr_lu_fsm(901700000010650)
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Received Event UPD_HLR_VLR_E_START
+DVLR GSUP tx: 04010809710000000156f0
+GSUP --> HLR: OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST: 04010809710000000156f0
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: state_chg to UPD_HLR_VLR_S_WAIT_FOR_DATA
+  gsup_tx_confirmed == 1
+  lu_result_sent == 0
+- HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT
+<-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: 10010809710000000156f00804032443f2
+DVLR GSUP rx 17: 10010809710000000156f00804032443f2
+DREF VLR subscr IMSI:901700000010650 usage increases to: 2
+DVLR IMSI:901700000010650 has MSISDN:42342
+DVLR SUBSCR(MSISDN:42342) VLR: update for IMSI=901700000010650 (MSISDN=42342, used=2)
+DVLR GSUP tx: 12010809710000000156f0
+GSUP --> HLR: OSMO_GSUP_MSGT_INSERT_DATA_RESULT: 12010809710000000156f0
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
+<-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: vlr_gsupc_read_cb() returns 0
+  lu_result_sent == 0
+- HLR also sends GSUP _UPDATE_LOCATION_RESULT
+<-- GSUP rx OSMO_GSUP_MSGT_UPDATE_LOCATION_RESULT: 06010809710000000156f0
+DVLR GSUP rx 11: 06010809710000000156f0
+DREF VLR subscr MSISDN:42342 usage increases to: 2
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_HLR_UPD}: Received Event VLR_ULA_E_HLR_LU_RES
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_WAIT_FOR_DATA}: Received Event UPD_HLR_VLR_E_UPD_LOC_ACK
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_WAIT_FOR_DATA}: state_chg to UPD_HLR_VLR_S_DONE
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_DONE}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_DONE}: Removing from parent vlr_lu_fsm(901700000010650)
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_DONE}: Freeing instance
+DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_DONE}: Deallocated
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_HLR_UPD}: Received Event VLR_ULA_E_UPD_HLR_COMPL
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_HLR_UPD}: state_chg to VLR_ULA_S_WAIT_LU_COMPL
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_INIT}: Allocated
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_INIT}: is child of vlr_lu_fsm(901700000010650)
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_INIT}: Received Event LU_COMPL_VLR_E_START
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_INIT}: state_chg to LU_COMPL_VLR_S_WAIT_SUB_PRES
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_INIT}: Allocated
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_INIT}: is child of lu_compl_vlr_fsm(901700000010650)
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_INIT}: Received Event SUB_PRES_VLR_E_START
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_INIT}: state_chg to SUB_PRES_VLR_S_DONE
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_DONE}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_DONE}: Removing from parent lu_compl_vlr_fsm(901700000010650)
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_DONE}: Freeing instance
+DVLR sub_pres_vlr_fsm(901700000010650){SUB_PRES_VLR_S_DONE}: Deallocated
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_WAIT_SUB_PRES}: Received Event LU_COMPL_VLR_E_SUB_PRES_COMPL
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_WAIT_SUB_PRES}: lu_compl_vlr_new_tmsi()
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_WAIT_SUB_PRES}: state_chg to LU_COMPL_VLR_S_WAIT_TMSI_CNF
+- sending LU Accept for MSISDN:42342, with TMSI 0x03020100
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
+<-- GSUP rx OSMO_GSUP_MSGT_UPDATE_LOCATION_RESULT: vlr_gsupc_read_cb() returns 0
+  lu_result_sent == 1
+- a LU Accept with a new TMSI was sent, waiting for TMSI Realloc Compl
+  llist_count(&net->subscr_conns) == 1
+msc_subscr_conn_is_accepted() == false
+- MS sends TMSI Realloc Complete
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_MM_TMSI_REALL_COMPL
+DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DRLL Dispatching 04.08 message GSM48_MT_MM_TMSI_REALL_COMPL (0x5:0x1b)
+DMM TMSI Reallocation Completed. Subscriber: MSISDN:42342
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_LU_COMPL}: Received Event VLR_ULA_E_NEW_TMSI_ACK
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_WAIT_TMSI_CNF}: Received Event LU_COMPL_VLR_E_NEW_TMSI_ACK
+DREF VLR subscr MSISDN:42342 usage increases to: 2
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_WAIT_TMSI_CNF}: state_chg to LU_COMPL_VLR_S_DONE
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_LU_COMPL}: Received Event VLR_ULA_E_LU_COMPL_SUCCESS
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_DONE}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_DONE}: Removing from parent vlr_lu_fsm(901700000010650)
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_DONE}: Freeing instance
+DVLR lu_compl_vlr_fsm(901700000010650){LU_COMPL_VLR_S_DONE}: Deallocated
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_LU_COMPL}: state_chg to VLR_ULA_S_DONE
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Received Event SUBSCR_CONN_E_ACCEPTED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: state_chg to SUBSCR_CONN_S_ACCEPTED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_RELEASE_WHEN_UNUSED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: subscr_conn_fsm_release_when_unused: releasing conn
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: state_chg to SUBSCR_CONN_S_RELEASED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_DONE}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_DONE}: Removing from parent Subscr_Conn(901700000010650)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_DONE}: fsm_lu_cleanup called with cause OSMO_FSM_TERM_PARENT
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_DONE}: Freeing instance
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_DONE}: Deallocated
+DMM msc_subscr_conn_close(vsub=MSISDN:42342, cause=2): no conn fsm, releasing directly without release event.
+- Iu Release --RAN_UTRAN_IU--> MS
+DREF MSISDN:42342: MSC conn use - fsm == 1 (0x2)
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Freeing instance
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Deallocated
+DREF MSISDN:42342: MSC conn use - dtap == 0 (0x0)
+DRLL subscr MSISDN:42342: Freeing subscriber connection
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
+  iu_release_sent == 1
+- LU was successful, and the conn has already been closed
+  llist_count(&net->subscr_conns) == 0
+DREF VLR subscr MSISDN:42342 usage increases to: 2
+  vsub != NULL == 1
+  strcmp(vsub->imsi, IMSI) == 0
+  vsub->lac == 23
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
+---
+- after a while, MNCC asks us to setup a call, causing Paging
+DMNCC receive message MNCC_SETUP_REQ
+DREF VLR subscr MSISDN:42342 usage increases to: 2
+DCC (ti ff sub MSISDN:42342 callref 423) New transaction
+DREF VLR subscr MSISDN:42342 usage increases to: 3
+DMM Subscriber MSISDN:42342 not paged yet, start paging.
+  RAN_UTRAN_IU sends out paging request to IMSI 901700000010650, TMSI 0x03020100, LAC 23
+  strcmp(paging_expecting_imsi, imsi) == 0
+DREF VLR subscr MSISDN:42342 usage increases to: 4
+DREF VLR subscr MSISDN:42342 usage decreases to: 3
+  paging_sent == 1
+  paging_stopped == 0
+- MS replies with Paging Response, and VLR sends Auth Request
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_RR_PAG_RESP
+  new conn
+DREF unknown: MSC conn use + compl_l3 == 1 (0x1)
+DRLL Dispatching 04.08 message GSM48_MT_RR_PAG_RESP (0x6:0x27)
+DRR PAGING RESPONSE: MI(IMSI)=901700000010650
+DREF unknown: MSC conn use + fsm == 2 (0x5)
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Allocated
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Received Event SUBSCR_CONN_E_START
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: state_chg to SUBSCR_CONN_S_NEW
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Updated ID from PAGING_RESP
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Allocated
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: is child of Subscr_Conn(901700000010650)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: rev=R99 net=UTRAN Auth+Ciph
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Received Event PR_ARQ_E_START
+DREF VLR subscr MSISDN:42342 usage increases to: 4
+DREF VLR subscr MSISDN:42342 usage increases to: 5
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: proc_arq_vlr_fn_post_imsi()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: state_chg to PR_ARQ_S_WAIT_AUTH
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: Allocated
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: is child of Process_Access_Request_VLR(901700000010650)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: Received Event VLR_AUTH_E_START
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_NEEDS_AUTH}: state_chg to VLR_SUB_AS_WAIT_RESP
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: got auth tuple: use_count=1 key_seq=1 -- will use UMTS AKA (is_r99=yes, at->vec.auth_types=0x3)
+- sending UMTS Auth Request for MSISDN:42342: tuple use_count=1 key_seq=1 auth_types=0x3 and...
+- ...rand=c187a53a5e6b9d573cac7c74451fd46d
+- ...autn=1843a645b98d00005b2d666af46c45d9
+- ...expecting res=7db47cf7f81e4dc7
+DREF VLR subscr MSISDN:42342 usage decreases to: 4
+DMM MSISDN:42342: subscr_conn_release_when_unused: conn still being established (SUBSCR_CONN_S_NEW)
+DREF MSISDN:42342: MSC conn use - compl_l3 == 1 (0x4)
+  auth_request_sent == 1
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_MM_AUTH_RESP
+DREF MSISDN:42342: MSC conn use + dtap == 2 (0x6)
+DRLL Dispatching 04.08 message GSM48_MT_MM_AUTH_RESP (0x5:0x14)
+DMM MSISDN:42342: MM UMTS AUTHENTICATION RESPONSE (res = 7db47cf7f81e4dc7)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: Received Event VLR_AUTH_E_MS_AUTH_RESP
+DVLR SUBSCR(MSISDN:42342) AUTH on UTRAN received RES: 7db47cf7f81e4dc7 (8 bytes)
+DVLR SUBSCR(MSISDN:42342) AUTH established UMTS security context
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: Authentication terminating with result VLR_AUTH_RES_PASSED
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_WAIT_RESP}: state_chg to VLR_SUB_AS_AUTHENTICATED
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Removing from parent Process_Access_Request_VLR(901700000010650)
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Freeing instance
+DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: Received Event PR_ARQ_E_AUTH_RES
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: Set Ciphering Mode
+DMM -> SECURITY MODE CONTROL MSISDN:42342
+- sending SecurityModeControl for UE ctx 42 send_ck=0 new_key=1
+- ...ik=1159ec926a50e98c034a6b7d7c9f418d
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
+DMM MSISDN:42342: subscr_conn_release_when_unused: conn still being established (SUBSCR_CONN_S_NEW)
+DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
+  security_mode_ctrl_sent == 1
+- MS sends SecurityModeControl acceptance, VLR accepts, sends CC Setup
+DMM <- SECURITY MODE COMPLETE MSISDN:42342
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: Received Event PR_ARQ_E_CIPH_RES
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_ciph()
+DIUCS MSISDN:42342: tx CommonID 901700000010650
+- Iu Common ID --RAN_UTRAN_IU--> MS (IMSI=901700000010650)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_vlr()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_pres()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_trace()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_imei()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: proc_arq_fsm_done(VLR_PR_ARQ_RES_PASSED)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: state_chg to PR_ARQ_S_DONE
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Process Access Request result: VLR_PR_ARQ_RES_PASSED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Received Event SUBSCR_CONN_E_ACCEPTED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: state_chg to SUBSCR_CONN_S_ACCEPTED
+DPAG Paging success for MSISDN:42342 (event=0)
+DPAG Calling paging cbfn.
+DCC Paging subscr 42342 succeeded!
+DREF MSISDN:42342: MSC conn use + trans_cc == 2 (0xc)
+DCC starting timer T303 with 30 seconds
+DCC (ti 00 sub MSISDN:42342) new state NULL -> CALL_PRESENT
+DMSC msc_tx 2 bytes to MSISDN:42342 via RAN_UTRAN_IU
+- DTAP --RAN_UTRAN_IU--> MS: GSM48_MT_CC_SETUP: 0305
+- DTAP matches expected message
+DREF VLR subscr MSISDN:42342 usage decreases to: 3
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_RELEASE_WHEN_UNUSED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: subscr_conn_fsm_release_when_unused: connection still has active transaction: CC
+  paging_stopped == 1
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_CALL_CONF
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
+DRLL Dispatching 04.08 message GSM48_MT_CC_CALL_CONF (0x3:0x8)
+DCC stopping pending timer T303
+DCC starting timer T310 with 30 seconds
+DCC (ti 00 sub MSISDN:42342) new state CALL_PRESENT -> MO_TERM_CALL_CONF
+  MS <--Call Assignment-- MSC: subscr=MSISDN:42342 callref=0x423
+DMNCC transmit message MNCC_CALL_CONF_IND
+DCC Sending 'MNCC_CALL_CONF_IND' to MNCC.
+  MSC --> MNCC: callref 0x423: MNCC_CALL_CONF_IND
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_COMMUNICATING
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: state_chg to SUBSCR_CONN_S_COMMUNICATING
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_RELEASE_WHEN_UNUSED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: subscr_conn_fsm_release_when_unused: connection still has active transaction: CC
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
+- Total time passed: 1.000023 s
+  MSC <--RAN_UTRAN_IU-- MS: GSM48_MT_CC_ALERTING
+DREF MSISDN:42342: MSC conn use + dtap == 3 (0xe)
+DRLL Dispatching 04.08 message GSM48_MT_CC_ALERTING (0x3:0x1)
+DCC stopping pending timer T310
+DCC starting timer T301 with 180 seconds
+DCC (ti 00 sub MSISDN:42342) new state MO_TERM_CALL_CONF -> CALL_RECEIVED
+DMNCC transmit message MNCC_ALERT_IND
+DCC Sending 'MNCC_ALERT_IND' to MNCC.
+  MSC --> MNCC: callref 0x423: MNCC_ALERT_IND
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_COMMUNICATING
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_RELEASE_WHEN_UNUSED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: subscr_conn_fsm_release_when_unused: connection still has active transaction: CC
+DREF MSISDN:42342: MSC conn use - dtap == 2 (0xc)
+- Total time passed: 16.000046 s
+- The call failed, the BSC sends a BSSMAP Clear Request
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: Received Event SUBSCR_CONN_E_CN_CLOSE
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_COMMUNICATING}: state_chg to SUBSCR_CONN_S_RELEASED
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Removing from parent Subscr_Conn(901700000010650)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Freeing instance
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Deallocated
+DMM msc_subscr_conn_close(vsub=MSISDN:42342, cause=2): no conn fsm, releasing directly without release event.
+DCC stopping pending timer T301
+  MS <--Call Release-- MSC: subscr=MSISDN:42342 callref=0x423
+DMNCC receive message MNCC_REL_REQ
+DCC (ti 00 sub 42342) Received 'MNCC_REL_REQ' from MNCC in state 7 (CALL_RECEIVED)
+DCC starting timer T308 with 10 seconds
+DCC (ti 00 sub MSISDN:42342) new state CALL_RECEIVED -> RELEASE_REQ
+DMSC msc_tx 2 bytes to MSISDN:42342 via RAN_UTRAN_IU
+- DTAP --RAN_UTRAN_IU--> MS: GSM48_MT_CC_RELEASE: 032d
+- DTAP matches expected message
+DMNCC transmit message MNCC_REL_CNF
+DCC Sending 'MNCC_REL_CNF' to MNCC.
+  MSC --> MNCC: callref 0x423: MNCC_REL_CNF
+DCC (ti 00 sub MSISDN:42342) new state RELEASE_REQ -> NULL
+DCC MSISDN:42342 Timer 0x308 is still running while discarding transaction -- this is a bug: we were still expecting a response but are freeing the transaction anyway
+DREF VLR subscr MSISDN:42342 usage decreases to: 2
+DREF MSISDN:42342: MSC conn use - trans_cc == 1 (0x4)
+- Iu Release --RAN_UTRAN_IU--> MS
+DREF MSISDN:42342: MSC conn use - fsm == 0 (0x0)
+DRLL subscr MSISDN:42342: Freeing subscriber connection
+DREF VLR subscr MSISDN:42342 usage decreases to: 1
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Freeing instance
+DMM Subscr_Conn(901700000010650){SUBSCR_CONN_S_RELEASED}: Deallocated
+  llist_count(&net->subscr_conns) == 0
+- Total time passed: 31.000069 s
+DREF freeing VLR subscr MSISDN:42342
+===== test_call_mt2: SUCCESS
+
+full talloc report on 'msgb' (total      0 bytes in   1 blocks)
+talloc_total_blocks(tall_bsc_ctx) == 12
+
 ===== test_call_mo_to_unknown
 - Total time passed: 0.000000 s
 - Location Update request causes a GSUP Send Auth Info request to HLR
diff --git a/tests/msc_vlr/msc_vlr_tests.c b/tests/msc_vlr/msc_vlr_tests.c
index 45ab5e113..cb716a876 100644
--- a/tests/msc_vlr/msc_vlr_tests.c
+++ b/tests/msc_vlr/msc_vlr_tests.c
@@ -616,12 +616,19 @@ int __wrap_msc_mgcp_call_assignment(struct gsm_trans *trans)
 	return 0;
 }
 
+struct gsm_mncc *on_call_release_mncc_sends_to_cc_data = NULL;
+
 /* override, requires '-Wl,--wrap=msc_mgcp_call_release' */
 void __real_msc_mgcp_call_release(struct gsm_trans *trans);
 void __wrap_msc_mgcp_call_release(struct gsm_trans *trans)
 {
 	log("MS <--Call Release-- MSC: subscr=%s callref=0x%x",
 	    vlr_subscr_name(trans->vsub), trans->callref);
+	if (on_call_release_mncc_sends_to_cc_data) {
+		mncc_tx_to_cc(trans->net, on_call_release_mncc_sends_to_cc_data->msg_type,
+			      on_call_release_mncc_sends_to_cc_data);
+		on_call_release_mncc_sends_to_cc_data = NULL;
+	}
 }
 
 static int fake_vlr_tx_lu_acc(void *msc_conn_ref, uint32_t send_tmsi)
diff --git a/tests/msc_vlr/msc_vlr_tests.h b/tests/msc_vlr/msc_vlr_tests.h
index 858936c1c..15df9ec78 100644
--- a/tests/msc_vlr/msc_vlr_tests.h
+++ b/tests/msc_vlr/msc_vlr_tests.h
@@ -112,6 +112,8 @@ extern const char *cc_to_mncc_tx_expected_imsi;
 extern bool cc_to_mncc_tx_confirmed;
 extern uint32_t cc_to_mncc_tx_got_callref;
 
+extern struct gsm_mncc *on_call_release_mncc_sends_to_cc_data;
+
 static inline void expect_iu_release()
 {
 	iu_release_expected = true;
-- 
cgit v1.2.3